Re: Strange attacks

["Havoc" <havoc () threatlab com>]

I wouldn't consider this any new type of attack.  There are simple perl
scripts that have been available for years now that will alert on this kind
of activity.  Simply execute the script with the host IP you'd like to scan
and it goes to town checking for all known cgi, frontpage, iis, apache, etc,
vulnerabilities.

Now, a lot of alerts I recieve from snort are what I consider Internet
drive-by's.  SQL service scans, codes red, etc..  This scan you received I
feel is specific-- you were directly targeted and should raise your
awareness to a new level when investigating other suspicious activity.

-havoc.
----- Original Message -----
From: "opus" <opus () ircore com>
To: <Incidents () securityfocus com>
Sent: Friday, October 25, 2002 11:47 AM
Subject: Strange attacks


> Beginning on October 10th at 1:42am CDT what was considered a pretty
> significant attack took place.  These attack attempts were all web based.
> What is curious about these attacks is the number of unique strings used
> in the attacks.  In all there were 149 unique Snort rules triggered, from
> 5 attacks in 14 days.
>
> There were 5 total attacks to date, none of which were the same.  The last
> attack was the most aggressive and extensive.  A compiled list of the type
> of Snort rules that were triggered are at the end of this email.  These
> web servers are hardend and the attacks were not effective,  not to say
> that sooner or later i'll get bit.
>
> I didn't want to post the actual attack strings, even though the
> vulnerabilities are known, I don't want to provide some one with an easy
> way of creating an attack.  Obviously these are already
> scripted/automated, are these new?
>
> Has anyone else seen this?  I've not seen any mention of such attacks
> having taken place or have I been sleeping?  It's almost like some one
> took the Snort rules and created an attack string for each one.
>
> Attack 1
> Attack Began Oct 10 01:42:41 CDT
> Attack Ended Oct 10 01:57:32 CDT
> From a .tampabay.rr.com computer
> 1571 connection attempts
> Accross 17 web servers
> 6 unique Snort rules triggered
> 82 uniques HEAD and  3 GET strings that triggered the rules
>
> Attack 2
> Attack Began Oct 10 19:00:07 CDT
> Attack Ended Oct 10 19:03:43 CDT
> From a .nas-corp.com computer
> 693 connection attempts
> Accross 17 web servers
> 9 unique Snort rules triggered
> 82 uniques HEAD strings that triggered the rules
>
> Attack 3
> Attack Began Oct 10 19:04:21 CDT
> Attack Ended Oct 10 19:10:35 CDT
> From a .mylinuxisp.com computer
> 447 connection attempts
> Accross 17 web servers
> 7 unique Snort rules triggered
> 26 uniques HEAD strings that triggered the rules
>
> Attack 4
> Attack Began Oct 19 09:49:19 CDT
> Attack Ended Oct 19 09:52:29 CDT
> From a .apid.com computer
> 99 connection attempts
> Accross 17 web servers
> 4 unique Snort rules triggered
> 11 uniques GET strings that triggered the rules
>
> Attack 5
> Attack Began Oct 24 16:14:18 CDT
> Attack Ended Oct 24 16:30:18 CDT
> From a .adsl.fx.apol.com.tw computer
> 4242 connection attempts
> Accross 17 web servers
> 139 unique Snort rules triggered
> 343 uniques GET strings that triggered the rules
>
> WEB-ATTACKS /bin/ls| command attempt
> WEB-CGI aglimpse access
> WEB-CGI AnyForm2 access
> WEB-CGI args.bat access
> WEB-CGI AT-admin.cgi access
> WEB-CGI bnbform.cgi access
> WEB-CGI campas access
> WEB-CGI classifieds.cgi access
> WEB-CGI dumpenv.pl access
> WEB-CGI edit.pl access
> WEB-CGI environ.cgi access
> WEB-CGI faxsurvey access
> WEB-CGI filemail access
> WEB-CGI files.pl access
> WEB-CGI finger access
> WEB-CGI formmail access
> WEB-CGI glimpse access
> WEB-CGI htmlscript access
> WEB-CGI info2www access
> WEB-CGI maillist.pl access
> WEB-CGI man.sh access
> WEB-CGI NPH-publish access
> WEB-CGI nph-test-cgi access
> WEB-CGI perl.exe access
> WEB-CGI perlshop.cgi access
> WEB-CGI pfdisplay.cgi access
> WEB-CGI phf access
> WEB-CGI php access
> WEB-CGI ppdscgi.exe access
> WEB-CGI rguest.exe access
> WEB-CGI rsh access
> WEB-CGI rwwwshell.pl access
> WEB-CGI survey.cgi access
> WEB-CGI test-cgi access
> WEB-CGI testcounter.pl access
> WEB-CGI uploader.exe access
> WEB-CGI view-source access
> WEB-CGI visadmin.exe access
> WEB-CGI w3-msql access
> WEB-CGI wais.p access
> WEB-CGI webgais access
> WEB-CGI websendmail access
> WEB-CGI wguest.exe access
> WEB-CGI whoisraw access
> WEB-CGI win-c-sample.exe access
> WEB-CGI wrap access
> WEB-CGI wwwadmin.pl access
> WEB-CGI wwwboard passwd access
> WEB-CGI www-sql access
> WEB-COLDFUSION cfmlsyntaxcheck.cfm access
> WEB-COLDFUSION exampleapp access
> WEB-COLDFUSION exampleapp application.cfm
> WEB-COLDFUSION expeval access
> WEB-COLDFUSION exprcalc access
> WEB-COLDFUSION fileexists.cfm access
> WEB-COLDFUSION getfile.cfm access
> WEB-COLDFUSION snippets attempt
> WEB-COLDFUSION startstop DOS access
> WEB-FRONTPAGE administrators.pwd
> WEB-FRONTPAGE authors.pwd access
> WEB-FRONTPAGE dvwssr.dll access
> WEB-FRONTPAGE form_results access
> WEB-FRONTPAGE form_results.htm access
> WEB-FRONTPAGE fourdots request
> WEB-FRONTPAGE fpadmcgi.exe access
> WEB-FRONTPAGE fpadmin.htm access
> WEB-FRONTPAGE fpremadm.exe access
> WEB-FRONTPAGE orders.htm access
> WEB-FRONTPAGE orders.txt access
> WEB-FRONTPAGE register.htm access
> WEB-FRONTPAGE register.txt access
> WEB-FRONTPAGE registrations.htm access
> WEB-FRONTPAGE registrations.txt access
> WEB-FRONTPAGE service.pwd
> WEB-FRONTPAGE shtml.dll access
> WEB-FRONTPAGE shtml.exe access
> WEB-FRONTPAGE users.pwd access
> WEB-IIS .... access
> WEB-IIS admin access
> WEB-IIS .asp access
> WEB-IIS asp-dot attempt
> WEB-IIS CGImail.exe access
> WEB-IIS CodeRed v2 root.exe access
> WEB-IIS fpcount access
> WEB-IIS global-asa access
> WEB-IIS iissamples access
> WEB-IIS ISAPI .ida attempt
> WEB-IIS ISAPI .idq access
> WEB-IIS ISAPI .idq attempt
> WEB-IIS ISAPI .printer access
> WEB-IIS jet vba access
> WEB-IIS _mem_bin access
> WEB-IIS msadc/msadcs.dll access
> WEB-IIS /msadc/samples/ access
> WEB-IIS msdac access
> WEB-IIS MSProxy access
> WEB-IIS newdsn.exe access
> WEB-IIS Overflow-htr access
> WEB-IIS SAM Attempt
> WEB-IIS /scripts/samples/ access
> WEB-IIS search97.vts access
> WEB-IIS site server config access
> WEB-IIS Unicode2.pl script (File permission canonicalization)
> WEB-IIS uploadn.asp access
> WEB-IIS _vti_inf access
> WEB-MISC /....
> WEB-MISC adminlogin access
> WEB-MISC apache DOS attempt
> WEB-MISC ax-admin.cgi access
> WEB-MISC bigconf.cgi access
> WEB-MISC cachemgr.cgi access
> WEB-MISC cart 32 AdminPwd access
> WEB-MISC /cgi-bin/jj attempt
> WEB-MISC convert.bas access
> WEB-MISC count.cgi access
> WEB-MISC counter.exe access
> WEB-MISC cpshost.dll access
> WEB-MISC Domino catalog.ns access
> WEB-MISC Domino domcfg.nsf access
> WEB-MISC Domino domlog.nsf access
> WEB-MISC Domino log.nsf access
> WEB-MISC Domino names.nsf access
> WEB-MISC Ecommerce checks.txt access
> WEB-MISC Ecommerce import.txt access
> WEB-MISC /etc/passwd
> WEB-MISC get32.exe access
> WEB-MISC handler access
> WEB-MISC .htaccess access
> WEB-MISC .htpasswd access
> WEB-MISC http directory traversal
> WEB-MISC Lotus EditDoc attempt
> WEB-MISC mall log order access
> WEB-MISC order.log access
> WEB-MISC piranha passwd.php3 access
> WEB-MISC plusmail access
> WEB-MISC queryhit.htm access
> WEB-MISC /~root
> WEB-MISC shopping cart access access
> WEB-MISC showcode access
> WEB-MISC ultraboard access
> WEB-MISC viewcode access
> WEB-MISC webcart access
> WEB-MISC webdist.cgi access
> WEB-MISC ws_ftp.ini access
> WEB-MISC .wwwacl access
> WEB-MISC wwwboard.pl access
>
> --
>     .~.
>     /V\
>    /( )\
>    ^^-^^
>
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com